On 03/19/2013 01:57 PM, Stephen Smalley wrote:
On 03/19/2013 01:42 PM, Daniel Neuberger wrote:
> On 03/19/2013 12:41 PM, Stephen Smalley wrote:
>> Is /opt mounted with nosuid flags? If so, that will suppress the domain
>> transition even if the executable is labeled correctly.
>
> That's it!!! Well mostly... Removing nosuid from /opt and rebooting
> worked except that syslog-ng isn't starting at all now due to the
> following denials:
> -------------
> type=AVC msg=audit(1363713616.722:556): avc: denied { execute_no_trans
> } for pid=5857 comm="syslog-ng"
> path="/opt/syslog-ng/libexec/syslog-ng"
> dev=dm-6 ino=190556 scontext=user_u:system_r:syslogd_t:s0
> tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file
>
> type=SYSCALL msg=audit(1363713616.722:556): arch=c000003e syscall=59
> success=no exit=-13 a0=400740 a1=7fffe72f8908 a2=1a2e5010 a3=0 items=1
> ppid=5849 pid=5857 auid=515 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts1 ses=2 comm="syslog-ng"
> exe="/opt/syslog-ng/sbin/syslog-ng" subj=user_u:system_r:syslogd_t:s0
> key=(null)
>
> type=CWD msg=audit(1363713616.722:556): cwd="/"
>
> type=PATH msg=audit(1363713616.722:556): item=0
> name="/opt/syslog-ng/libexec/syslog-ng" inode=190556 dev=fd:06
> mode=0100755 ouid=0 ogid=0 rdev=00:00
> obj=system_u:object_r:syslogd_exec_t:s0
> -------------
> In plain English from sealert, 'SELinux is preventing syslog-ng
> (syslogd_t) "execute_no_trans" to /opt/syslog-ng/libexec/syslog-ng
> (syslogd_exec_t).'
>
> Is system_u:object_r:syslogd_exec_t:s0 the wrong label for
> /opt/syslog-ng/libexec/syslog-ng? I tried this instead to no avail:
>
> [root@sdi-u-unstable audit]$ chcon system_u:object_r:syslogd_t:s0
> /opt/syslog-ng/libexec/syslog-ng
> chcon: failed to change context of /opt/syslog-ng/libexec/syslog-ng to
> system_u:object_r:syslogd_t:s0: Permission denied
>
> At this point, I'm unsure if it's a labeling problem or if I need to add
> a new rule due to the addition of /opt/syslog-ng/libexec/syslog-ng in
> the newer versions of syslog-ng.
Normally you would only label the entrypoint executable for syslogd
(i.e. the executable invoked to launch syslogd) with syslogd_exec_t, not
helper programs internally called by it. Anything else would get
labeled with a different type, which could just be bin_t for libexec
files. But you may also need to add an allow rule via a local policy
module to allow this if it is new behavior for syslog-ng.
Also, what you tried to do (in labeling the libexec file with syslogd_t)
isn't desirable because it conflates a domain type (syslogd_t) used for
processes with a file type (e.g. syslogd_exec_t, bin_t, ...). The only
case where a domain type should appear on a "file" is for the /proc/pid
entries associated with a process in that domain. It shouldn't be used
on regular files.
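The two failure modes in this thread (a nosuid mount silently blocking the domain transition, and execute_no_trans on a libexec helper labeled with the entrypoint type) as an added shell diagnostic; this is example code, not anything posted in the thread, and the mount table and AVC record it parses are constructed samples.

```shell
# Added example, not from the thread: checks whether a path's mount carries
# nosuid (which suppresses domain transitions) and classifies an AVC record,
# flagging execute_no_trans on a file carrying an entrypoint (*_exec_t) type.

# Constructed /proc/mounts-style lines and an AVC record modelled on the
# one quoted in the thread (both are sample inputs, not real system data).
SAMPLE_MOUNTS='/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/mapper/vg-opt /opt ext4 rw,nosuid,relatime 0 0'
SAMPLE_AVC='type=AVC msg=audit(1363713616.722:556): avc: denied { execute_no_trans } for pid=5857 comm="syslog-ng" path="/opt/syslog-ng/libexec/syslog-ng" dev=dm-6 ino=190556 scontext=user_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file'

# mount_has_nosuid PATH MOUNTS -> "nosuid" or "suid-ok" for the longest
# mount point that is a prefix of PATH (the one the kernel would use).
mount_has_nosuid() {
    printf '%s\n' "$2" | awk -v p="$1" '
        { m = $2
          if (index(p, m) == 1 && (m == "/" || length(p) == length(m) ||
              substr(p, length(m) + 1, 1) == "/") && length(m) > best) {
              best = length(m); opts = $4 } }
        END { n = split(opts, a, ",")
              for (i = 1; i <= n; i++) if (a[i] == "nosuid") { print "nosuid"; exit }
              print "suid-ok" }'
}

# avc_field RECORD KEY -> value of KEY=... with quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}
# avc_perm RECORD -> the permission inside "denied { ... }"
avc_perm() { printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | tr -d ' '; }
# context_type CONTEXT -> the type field of user:role:type:level
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# diagnose_avc RECORD -> "<verdict>:<source type>:<target type>"
diagnose_avc() {
    perm=$(avc_perm "$1"); tclass=$(avc_field "$1" tclass)
    stype=$(context_type "$(avc_field "$1" scontext)")
    ttype=$(context_type "$(avc_field "$1" tcontext)")
    # execute_no_trans on a *_exec_t file means a domain ran a file labeled
    # with an entrypoint type without transitioning: relabel the helper
    # (e.g. bin_t) or add an allow rule in a local policy module.
    case "$perm:$tclass:$ttype" in
        execute_no_trans:file:*_exec_t) echo "entrypoint-type-on-helper:$stype:$ttype" ;;
        *) echo "other-$perm:$stype:$ttype" ;;
    esac
}

echo "nosuid check: $(mount_has_nosuid /opt/syslog-ng/libexec/syslog-ng "$SAMPLE_MOUNTS")"
echo "avc verdict:  $(diagnose_avc "$SAMPLE_AVC")"
```

On a live system the mount table would come from `cat /proc/mounts` and the records from `ausearch -m avc`; the functions take that text as arguments unchanged.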